Most people know that when a Cisco router boots up it checks
the Configuration Register for instructions on where to find the Cisco IOS
software. The Configuration register is 16 bits in length and does more
than just point to the IOS, it has other important functions as well.
Knowing what the Configuration Register is and how to modify it will definitely
save your bacon one day. Modifying the Config Register is the basis for
defeating password protection on a Cisco router, a skill no one should be
without. Here to teach us about the Configuration Register is
Darva Conger. At first Darva would not return our calls, but when we told
her she would meet a CCIE and we told her how much money CCIE's make, she was
here the next day! Ladies and Gentlemen, Darva Conger:

Welcome, today's little talk is about the
Configuration Register. I'll do my best to explain it to you but
please keep in mind that I'm just a simple girl and I don't have a
technical background. I'd also like to say that even though I like
to marry rich strangers on TV and pose naked for pornographic magazines,
I am an old fashioned, God fearing gal who just wants my life
back.

You know, sometimes a Cisco router is a lot like me,
beautiful on the outside but completely screwed up on the inside.
When a Cisco router screws up, it is usually because a well meaning
person configured it improperly. Often improperly modifying the
Configuration Register will cause your router to act like a dizzy
blonde!

Did you know that the Cisco router was invented by a sweet
married couple from San Francisco? I think that's special. They're
not married anymore but they are millionaires so who cares, right? Anyway,
they used to build these routers on the kitchen table using salvaged hard drives
and scrapped automobiles from the local junk yard. Back then the Configuration
Register was a series of 16 dip switches that you could configure by removing
the oil pan and sliding the switches with a screwdriver. These switches
were subject to vibration, especially when the router was pulling a trailer or
climbing one of those steep hills in San Francisco. They soon determined
that if the Configuration Register setting were stored on a chip, the router
would be more reliable.

Cisco routers have come a long way since the days when you
needed a spark plug wrench and a timing light to configure them, but they still
operate in a similar fashion. When you fire up a Cisco router, you will no
longer hear the powerful throb of a Chevy rat motor, instead you will hear the
quiet hum of the cooling fan. When the router starts, it first does a POST
or Power On Self Test, then it looks at the Configuration Register for where to
locate the IOS, then it loads the IOS and the loads the Config from NVRAM.

"You can meet many affluent men at
the gym"

The Configuration Register is a 16 bit field that is
converted into a hexadecimal value for convenience. As you know
each hexadecimal character represents 4 bits. Hexadecimal numbers
go from 0 to F and represent decimal numbers from 0 to 15.
Hexadecimal numbers generally are preceded by a 0x to clue us in on the
fact that we are looking at a hexadecimal number. By default a
Cisco router has a Configuration Register setting of 0x0101 so the
actual 16 bits would look like 0000000100000001 so now you see that
finally there is a use for the hexadecimal numbering system! The
bits in the Configuration Register are numbered 0 to 15 and you start from the far right:

15

14

13

12

11

10

9

8

7

6

5

4

3

2

1

0

So for every 4 bits we translate that into hex, observe the
following typical Configuration Register:

2

1

0

2

0

0

1

0

0

0

0

1

0

0

0

0

0

0

1

0

Each bit position serves a function with the exception of bits
4, 5 and 9 which were used in the early days when Cisco routers used a gas engine,
but are not currently used. Here is what each bit position is used for:

0

Boot Field

Set to ON by default

1

Boot Field

2

Boot Field

3

Boot Field

4

Headlight Relay

No longer used

5

Horn Relay

No longer used

6

Ignore NVRAM

Very cool

7

OEM

No practical function

8

Ignore Console Break

Set to ON by default

9

Starter Solenoid

No longer used

10

IP Broadcast

Works with bit 14

11

Console Connection Speed

12

Console Connection Speed

13

Boot to flash if Netboot fails

Not a bad idea

14

IP Broadcast

Works with bit 10

15

Ignore NVRAM

Diagnostic messages

The fields in gray you can ignore, the fields in green are
that you will typically be interested in. The boot field if set to 0 will
boot into ROMMON mode and not load any IOS. If the boot field is set to 1
then the first IOS image found in flash will be loaded. If the boot field
is set from 2 to F then the router loads the system image specified by boot
system commands in the startup configuration file. When the startup
configuration file does not contain boot system commands, the router
tries to load a default system image stored on a network server.

If the number 6 bit is switched on, the router will not load
the configuration file stored in NVRAM and will load IOS without any
configuration. This is a how you do password recovery, you boot up the
router and hit the break key, this will dump you into ROMMON mode, from here you
use the confreg utility to alter the Configuration Register so that when
you boot the machine it doesn't pull the config from NVRAM, then you can edit
the password in the config, then don't forget to change the
Configuration-Register while you are in IOS so that when you reload it will load
the contents of NVRAM and you're in like Flint!

The Configuration Register can be set in ROMMON or in
IOS. In IOS the command is: config-register 0x2101 of
course substitute the value you want. If
the third hex digit from the left is 4 that means skip whatever's in
NVRAM. Bits 11 and 12 set the console connection speed,
9600 is as fast as it will go and you get that speed by leaving those
bits set to 0. Bits 10 and 14 control if IP broadcasts are sent
using all zeros or all ones, leave these bits set to 0, the factory
default. Bit 8 controls the break key, leave it set ON this way if
your router has been up for 30 days and you accidentally send a break to
the router, it won't suddenly drop everything and go into ROMMON
mode. The router will always respond to a break key sent right
away when booting up. Although you will never need to dick around
with the bits 8,10,11 and 12 pay attention to your Config Register
because even though you know better, your workmates will change these
values every couple of days for reasons unknown. Check the value
of your Configuration Register by using the show version command.